Dev#1431
Merged
Merged
Conversation
|
Important Review skippedToo many files! This PR contains 241 files, which is 91 over the limit of 150. ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: ⛔ Files ignored due to path filters (11)
📒 Files selected for processing (241)
You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request refactors the Genie toolkit's design system to a 'Severance' theme, soft-deprecates npm distribution for a verified CDN path, and adds extensive security roadmaps and incident response documentation. Feedback identifies several missing files and directories referenced in the code (such as the tokens package, remediation scripts, and visual tests) and suggests further unifying the theme by removing redundant local style objects and replacing hardcoded hex values with token references.
Comment on lines
+8
to
+11
| import { palette } from '../../genie-tokens/index'; | ||
|
|
||
| export { palette, tokens } from '../../genie-tokens/index'; | ||
| export type { PaletteKey, TokenKey } from '../../genie-tokens/index'; |
Contributor
There was a problem hiding this comment.
The 'packages/genie-tokens/' directory and its contents (e.g., 'index.ts') are missing from this pull request, which will cause build failures. Additionally, relative imports that reach outside of a package's root are generally discouraged in a monorepo. Consider using the workspace package name (e.g., '@automagik/genie-tokens') once the package is properly registered in the root 'package.json' workspaces.
Comment on lines
+15
to
+16
| "scripts/sec-remediate.cjs", | ||
| "scripts/sec-fix.cjs", |
Contributor
There was a problem hiding this comment.
The files 'scripts/sec-remediate.cjs' and 'scripts/sec-fix.cjs' are referenced here but are missing from the pull request.
| "lint:fix": "biome check --write .", | ||
| "format": "biome format --write .", | ||
| "test": "bun test", | ||
| "test:visual": "GENIE_TEST_SKIP_PGSERVE=1 bun test test/visual/", |
Contributor
There was a problem hiding this comment.
The 'test/visual/' directory referenced in the 'test:visual' script is missing from the pull request.
| "check:perf": "bun run test/perf/observability/gate.ts --duration=30000", | ||
| "check": "bun run typecheck && bun run lint && bun run dead-code && bun run skills:lint && bun run wishes:lint && bun run lint:emit && bun test" | ||
| "check": "bun run typecheck && bun run lint && bun run dead-code && bun run skills:lint && bun run wishes:lint && bun run lint:emit && bun test", | ||
| "verify:release": "scripts/verify-release.sh" |
Contributor
There was a problem hiding this comment.
The 'scripts/verify-release.sh' script is missing from the pull request.
Comment on lines
31
to
47
| const t = { | ||
| bg: '#1a1028', | ||
| bgCard: '#241838', | ||
| bgCardHover: '#2e2048', | ||
| border: '#414868', | ||
| borderAccent: '#7c3aed', | ||
| text: '#e2e8f0', | ||
| textDim: '#94a3b8', | ||
| textMuted: '#64748b', | ||
| purple: '#a855f7', | ||
| violet: '#7c3aed', | ||
| cyan: '#22d3ee', | ||
| emerald: '#34d399', | ||
| warning: '#fbbf24', | ||
| error: '#f87171', | ||
| blue: '#60a5fa', | ||
| bg: palette.bg, | ||
| bgCard: palette.bgRaised, | ||
| bgCardHover: palette.bgHover, | ||
| border: palette.border, | ||
| borderAccent: palette.borderActive, | ||
| text: palette.text, | ||
| textDim: palette.textDim, | ||
| textMuted: palette.textMuted, | ||
| purple: palette.accentBright, | ||
| violet: palette.accent, | ||
| cyan: palette.info, | ||
| emerald: palette.success, | ||
| warning: palette.warning, | ||
| error: palette.error, | ||
| blue: palette.info, | ||
| } as const; |
Contributor
There was a problem hiding this comment.
This local 't' object is redundant as it mostly duplicates the shared 'theme' object defined in 'packages/genie-app/lib/theme.ts'. To improve maintainability and ensure consistency, consider importing and using the shared 'theme' (aliased as 't' if necessary). Note that you may need to update usages of 'borderAccent' to 'borderActive' to match the shared theme's naming.
| }, | ||
| errorBox: { | ||
| backgroundColor: 'rgba(248, 113, 113, 0.1)', | ||
| backgroundColor: 'rgba(168, 56, 56, 0.12)', |
Contributor
There was a problem hiding this comment.
This hardcoded color value ('#a83838' / 'palette.error') should be derived from the design tokens to maintain consistency. Since 'palette.error' is a hex string, you can use hex alpha (e.g., 't.error + "1f"') if your target browsers support it, or define a specific token for this transparent background in the tokens package.
Suggested change
| backgroundColor: 'rgba(168, 56, 56, 0.12)', | |
| backgroundColor: t.error + "1f", |
Comment on lines
+435
to
+436
| 0%, 100% { box-shadow: 0 0 0 0 rgba(127, 200, 169, 0.5); } | ||
| 50% { box-shadow: 0 0 0 4px rgba(127, 200, 169, 0); } |
Contributor
There was a problem hiding this comment.
These hardcoded color values ('#7fc8a9' / 'palette.accent') should be replaced with references to the design tokens to ensure the theme remains unified and easy to update.
Suggested change
| 0%, 100% { box-shadow: 0 0 0 0 rgba(127, 200, 169, 0.5); } | |
| 50% { box-shadow: 0 0 0 4px rgba(127, 200, 169, 0); } | |
| 0%, 100% { box-shadow: 0 0 0 0 ${theme.violet}80; } | |
| 50% { box-shadow: 0 0 0 4px ${theme.violet}00; } |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f30cf76f41
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Comment on lines
+69
to
+71
| WHERE uuid_peer.id LIKE '%-%-%-%-%' | ||
| AND uuid_peer.custom_name = legacy.id | ||
| AND uuid_peer.id <> legacy.id |
There was a problem hiding this comment.
This migration says it should quiesce a bare-name legacy row only when a UUID peer exists for the same identity, but the EXISTS clause matches on uuid_peer.custom_name = legacy.id without a team constraint. If two teams both have an agent named felipe, the bare row in team A will be paused just because a UUID row exists in team B, which can incorrectly disable auto-resume for an unrelated active agent.
Useful? React with 👍 / 👎.
Comment on lines
+147
to
+149
| bare.role = dir.custom_name | ||
| OR bare.id = dir.custom_name | ||
| OR bare.custom_name = dir.custom_name |
There was a problem hiding this comment.
Pass 1 intentionally sets dir.custom_name to NULL when a UUID peer already owns the (custom_name, team) slot, but Pass 2 archives bare rows only when they equal dir.custom_name. In that common Type-B path, all three comparisons become ... = NULL and never match, so the migration backfills dir:<name> yet leaves the original bare shadow unarchived, defeating the stated cleanup for those pairs.
Useful? React with 👍 / 👎.
namastex888
added a commit
that referenced
this pull request
Apr 28, 2026
…1385 Second 110-char header surfaced after pushing the deps+doctor exception. GitHub squash-merge appended `(#1385)` to a ~103-char PR title, putting the final subject over the 100-char cap. Same pattern as the prior fix(deps+doctor) exception (#1431). Adding a string-prefix ignore for this specific subject. Cannot rebase dev to fix retroactively. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Fixes the observed drift on 2026-04-23: GitHub Release: v4.260423.9 npm @latest: 4.260423.10 Both came from the same main push. release.yml tagged 4.260423.9 from main's package.json, then version.yml ran via workflow_run, DERIVED a new version (today + tag-count = 4.260423.10), bumped dev, and published 4.260423.10 as @latest. Two workflows, two versions, one broken "stable" pointer. Changes: - context step now emits `should_bump=true` only for dev triggers (and manual workflow_dispatch, which targets dev by default) - `Configure git`, `Derive version`, `Sync version files`, `Format JSON`, and `Commit and tag` steps gate on `should_bump=true` - context step now emits `branch=main` (not `branch=dev`) for main triggers, so checkout reads main's package.json — the exact version release.yml just tagged - new `Resolve publish version` step picks the derived version (dev) or `jq -r '.version' package.json` (main) for logging - `Publish to npm via OIDC` is unchanged in shape — `npm publish` reads package.json automatically and tags with the context's npm_tag Result: PR → dev → version.yml bumps dev + publishes @next PR → main → release.yml tags + creates GitHub Release (version X) → version.yml (parallel) publishes version X as @latest (same X; no drift) Single Trusted Publisher entry on npmjs.com (version.yml) still covers both paths.
Splits monolithic sec-scan-progress into 4 parallel-shippable siblings
after dual-reviewer BLOCKED verdict on the monolith (H1 circular dep,
H2 three wish-sized scopes bundled, H3 unmerged base branch).
Artifacts:
- .genie/brainstorms/canisterworm-incident-response/DESIGN.md (umbrella)
- .genie/brainstorms/sec-scan-progress/{DESIGN,DRAFT}.md (source)
- .genie/wishes/sec-scan-progress/WISH.md (APPROVED, 5 groups)
- .genie/wishes/sec-scan-progress/REVIEW_GROUP_1.md (provisional SHIP)
- .genie/wishes/sec-remediate/WISH.md (APPROVED, 2 groups)
- .genie/wishes/genie-supply-chain-signing/WISH.md (APPROVED, 2 groups)
- .genie/wishes/sec-incident-runbook/WISH.md (APPROVED, 2 groups)
- .genie/brainstorm.md (sibling index entry)
Plan edits vs overnight drafts:
- Dropped fallback-key scope from signing (OIDC-keyless sufficient v1)
- Replaced two-officer ceremony with OIDC-identity rotation procedure
- Explicit merge gate: remediate G1 integration tests blocked on
signing G2 landing on dev (fixes the G6/G7 CI-failure trap)
- Flipped all 4 wish statuses DRAFT to APPROVED
Next: dispatch reviewer on wish/sec-scan-progress to validate G1.
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
…-remediate) (#1361) * wip: sec-remediate#1 * wip: sec-remediate#2 * docs(sec-remediate): REVIEW.md SHIP verdict for G1+G2 Captures execution-review evidence for commits 1e5bd69 (G1) and 02a129c (G2) against the Success Criteria + per-group acceptance criteria in .genie/wishes/sec-remediate/WISH.md. Verdict: SHIP (0 CRITICAL, 0 HIGH). Integration gap with signing-G2's src/sec/unsafe-verify.ts helper documented as expected interim state. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…artial) (#1362) * feat(sec): scanner runtime + envelope + bounded walks (sec-scan-progress g1+g2) Ships Groups 1 and 2 of sec-scan-progress wish. G1 — runtime context + versioned envelope + CLI surface: - scanner runtime with injectable clock + interval provider - versioned JSON envelope: reportVersion:1, scan_id ULID, hostId, scannerVersion, timestamps, invocation, platform - exit code trichotomy (0 clean / 1 findings / 2 clean-incomplete) - full CLI flag surface: --no-progress, --quiet, --verbose, --progress-interval, --progress-json, --events-file, --redact, --persist/--no-persist, --impact-surface, --phase-budget - SIGINT/SIGTERM handler with <500ms flush - GENIE_SEC_SCAN_DISABLED=1 kill switch G2 — bounded walks + dev:ino dedup + phase measurement + coverage banner: - walkTreeFiles dev:ino dedup with path-dedup fallback (fixes symlink-cycle re-traversal bug) - walkProjectRoots bounded by {maxDepth, maxEntries} - phase instrumentation via runtime.phase.start/end with process.resourceUsage() (wall_ns / cpu_user_ns / cpu_sys_ns) - per-root fs fingerprint (Linux /proc/self/mountinfo, macOS mount, WSL drvfs/9p); cross_device flag - coverage-gap banner at TOP of human report - top-5 slowest roots to stderr under --verbose - chaos-test fixture: SIGINT at 5s/30s/5min with <500ms flush Tests: 48 pass / 0 fail / 173 expect() calls. G3-G5 (deletion pass, events-file + redact, print-cleanup-commands) deferred to a follow-up PR to unblock sec-incident-runbook which consumes the envelope + events schema contract. Wish: .genie/wishes/sec-scan-progress/WISH.md Umbrella: .genie/brainstorms/canisterworm-incident-response/DESIGN.md Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * chore: satisfy knip for verify-release.sh + drop esbuild from ignores --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
…ec-incident-runbook g1) (#1365)
…book g2) (#1366) Adds the operator-facing deliverables for group 2 of sec-incident-runbook: - docs/incident-response/canisterworm.md §11: English operator playbook with the three-branch decision tree keyed off genie sec scan status bands (LIKELY COMPROMISED → 7 steps, LIKELY AFFECTED → 4, OBSERVED ONLY → 3), escalations for rollback and --unsafe-unverified, and a post-mortem template with the persisted scan_id as the anchor field. - scripts/test-runbook.sh: cold-runbook replay harness that parses the runbook, asserts every referenced subcommand + flag survives on the live CLI, seeds a CanisterWorm IOC fixture, and runs the LIKELY AFFECTED branch end-to-end within a 15-minute budget. Switches to a surface-only assertion when the host /tmp is noisy (CI runs fresh-/tmp so Phase 4 still fires on every PR). - .github/workflows/runbook-test.yml: merge gate on PRs touching the runbook, SECURITY.md, the scanner payload, or the sec CLI source. - .github/workflows/docs-lint.yml + .github/markdown-link-check.json: markdownlint-cli2 + markdown-link-check enforcement on SECURITY.md and docs/incident-response/canisterworm.md. - src/term-commands/sec.ts: worked example + "When to reach for this" guidance on every blast-radius flag across scan, remediate, restore, rollback, quarantine list/gc, and verify-install. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Two entangled issues fixed together:
1. `ensureTeammateBypassPermissions()` in claude-settings.ts wrote
`teammateMode: "bypassPermissions"` to ~/.claude/settings.json, but
`teammateMode` is CC's topology selector with valid values
{auto, tmux, in-process}. Newer CC versions hard-reject the whole
settings file on invalid values, silently wiping user permissions,
hooks, and plugins config. Renamed to `ensureClaudeSettingsSafe()`
which now repairs any invalid legacy teammateMode and preserves
`skipDangerousModePermissionPrompt: true`.
2. Default permission mode flipped from `bypassPermissions` → `auto`
across BUILTIN_DEFAULTS, templates, team-lead spawn flag, and
provider adapters. `auto` is a first-class CC mode that gives
tool-by-tool judgment without the blanket risk of bypass.
`bypassPermissions` stays as a valid opt-in enum value — users can
still declare it explicitly in agent frontmatter.
Tests updated to match new defaults.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Four WISH.md files (sec-remediate, sec-incident-runbook, genie-supply-chain-signing, sec-scan-progress) reference .genie/brainstorms/sec-scan-progress/COUNCIL.md but the file was never committed. Additionally, .gitignore only allowed DESIGN.md and DRAFT.md in brainstorm dirs, not COUNCIL.md. - Add `!.genie/brainstorms/*/COUNCIL.md` to .gitignore allowlist - Add minimal COUNCIL.md stub to unblock wishes:lint Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…o size bypass (#1371) sec-scan temp artifact phase was blocking the event loop for minutes on any host with a non-empty /tmp or populated caches. Root cause: the per-file onFile callback ran a synchronous pipeline (statSync → readFileSync → gunzipSync → regex → sha256 → more regex) across up to 15k files / 839MB, so the progress ticker, SIGINT handler, and phase budgets never fired. This hotfix lands three fixes together so @next can republish: 1. Yielding temp walker: await setImmediate every 128 files so the event loop breathes. Progress ticks and SIGINT now fire mid-phase. 2. Phase budgets: DEFAULT_TEMP_FILES_BUDGET=5000, DEFAULT_TEMP_BYTES_BUDGET= 256 MiB. Overridable via --phase-budget scanTempArtifacts.files=N and --phase-budget scanTempArtifacts.bytes=N. Shorthand --phase-budget scanTempArtifacts=N maps to the files-count cap (dominant failure). Emits phase.cap_hit events + runtime.recordPhaseCapHit for telemetry. 3. Size-ceiling bypass killed: the 5 MB content-scan ceiling was bypassed when basename matched TEMP_ARTIFACT_NAME_REGEX, letting an attacker-planted multi-GB tarball be read fully into memory. Now the ceiling is enforced on named hits too; oversized named files record a cap_hit finding with the path + size but never read the bytes. 4. collectTempRoots: removed ~/.npm, ~/.bun, ~/.cache from temp walk roots (they have dedicated scanNpmCache/scanBunCache phases with tighter caps). WALK_SKIP_DIRS only filters sub-entries, not chosen roots — the old list bypassed the skip-set entirely. Tests: 56 pass / 0 fail / 202 expect() (was 48/0/173 pre-hotfix). 8 new tests cover yielding, budget overrides, cap-hit event emission, and the size-bypass refusal. Wish: .genie/wishes/sec-scan-temp-hang-hotfix/WISH.md (APPROVED, already on dev via #1367). This is the code side of that wish. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Follow-up to #1371 addressing three issues discovered post-merge: 1. Defaults too loose (5000 files / 256 MB / no wall-clock). On populated /tmp (15k+ files) scanTempArtifacts still ran tens of seconds because budgets never hit. Tightened to: DEFAULT_TEMP_FILES_BUDGET: 5000 -> 500 DEFAULT_TEMP_BYTES_BUDGET: 256 MB -> 32 MB new DEFAULT_TEMP_WALL_BUDGET_MS: 2000 (was: no wall cap) Override via --phase-budget scanTempArtifacts.{files,bytes,wall_ms}=N. 2. Wall-clock check positioned first in the loop so a single slow readFileSync (spinning disk, NFS, large near-limit file) cannot blow past the user-visible timeout before other budgets can fire. 3. recordPhaseCapHit detail now carries root: 'scanTempArtifacts' so envelopeFromReport's cappedRoots derivation picks up the phase breach and the coverage-banner INCOMPLETE SCAN surfaces when a budget was the only incompleteness signal (bot review P2 on #1372/#1373). Plus ReDoS hardening on 8 + 3 regex patterns: every unbounded [^\\n]* wildcard in install/exec/network IOC regexes bounded to [^\\n]{0,200} to prevent catastrophic backtracking on adversarial content. Verified on this host's /tmp (71k files at depth 4): - 86/86 existing tests pass (yield + SIGINT tests included) - scanTempArtifacts emits phase.cap_hit reason=wall_budget after 116 entries processed - Full scan completes with EXIT=1 + report printed Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Partners running the scanner against a CLEAN install of @automagik/genie were getting "LIKELY COMPROMISED 100/100" because: 1. inspectPackageDirectory walks the package source files and matches every IOC string it finds. The scanner's own source (scripts/sec-scan.cjs, src/term-commands/sec.ts) contains every IOC string as a detection pattern — so scanning the installed scanner flags thousands of its own detection patterns as infection evidence. 2. scanLiveProcesses flags any process whose cmdline contains @automagik/genie (via exec:node_modules/@automagik/genie matcher), which catches the running scanner process itself plus clean genie sessions. 3. Live-process matching treats name-matches on CLEAN package versions (e.g. pgserve@1.1.10 — not in compromised list) as "compromised severity" — running a clean version of a tracked package is not compromise. Fix: - New hasHardInfectionEvidence() helper: an install finding requires either a compromisedVersion match OR a known-malware file-hash match. IOC strings in content are NOT hard evidence (they exist in scanner source by design). Applied to all three install-finding sites: bun-global, global-install, local-install. - New shouldSkipContentWalk() helper: on CLEAN versions of the scanner package itself, skip the content walk entirely. iocStrings[] is still an array on the inspection record so downstream code doesn't crash, it's just empty. - scanLiveProcesses now self-excludes processes whose cmdline contains 'sec-scan.cjs' (the running scan) and distinguishes hard evidence (version-in-cmdline, IOC string match, network-IOC command, install-path match) from weak hits (name-only match). Only hard-evidence processes push 'compromised' severity + feed the suspicion score; name-only matches are reported as 'observed' informational entries. Verified: scanning a clean host with genie installed now reports 0 install findings + 0 self-flagged live processes. Real evidence (lockfile refs, shell-history IOCs, compromised-version caches) still surfaces correctly with appropriate severity. Tests: 56/56 pass. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…patch' (#1424) * feat(codex): hook bridge — route codex events through 'genie hook dispatch' Closes the genie observability + delivery gap for codex agents that required tmux send-keys until now. Codex's hook system has identical shape to claude's (PreToolUse / PostToolUse / UserPromptSubmit / SessionStart / Stop / PermissionRequest); we just need to write the TOML config that points codex at our existing 'genie hook dispatch' shim. Empirically validated this morning via /tmp/codex-research/test-hook.sh: spawned codex with this exact hook config, pre-loaded a test message in a mock inbox, typed a prompt — codex's UserPromptSubmit hook fired with the standard payload (session_id / turn_id / cwd / hook_event_name / prompt), our hook returned hookSpecificOutput.additionalContext, and codex injected that context inline with the engineer's prompt before sending to the LLM. Codex acted on BOTH the engineer's text AND the genie message in the same turn — the file-watcher-equivalent pattern claude already uses via its SendMessage tool. Files: - src/hooks/codex-inject.ts: writes/merges genie hook block into ~/.codex/config.toml (or $CODEX_HOME/config.toml). Uses BEGIN/END marker comments so the block is updatable without disturbing user- defined TOML around it. Idempotent — no write when content matches. - src/hooks/codex-inject.test.ts: 6 tests covering fresh write, merge with existing user config, idempotence, stale-block replacement, presence detection, and event-list sanity. - src/term-commands/agents.ts buildSpawnParams: when provider=='codex', call injectCodexHooks() in addition to the existing claude-side injectTeamHooks. Best-effort with same warn-don't-block semantics. Out of scope (follow-up PRs): - A genie hook handler that actually pulls from PG mailbox for codex agents on UserPromptSubmit — the registry slot is already there in src/hooks/index.ts, just needs a codex-aware UserPromptSubmit handler. - Removing src/lib/protocol-router.ts:injectToTmuxPane fallback once the codex bridge is fully wired (claude already uses native inbox file path; codex with this PR can use additionalContext path). - Codex SDK / app-server alternative drivers — tracked in .genie/brainstorms/codex-first-class-integration/DESIGN.md. Tests: 6 new pass, typecheck clean, biome clean. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * chore(lint): satisfy biome noUselessTernary, noDelete, noUnusedTemplateLiteral --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
…ishes (#1425) * docs(brainstorm): crystallize aegis-distribution-sovereignty umbrella WRS 100/100. Umbrella for moving genie off npmjs entirely + Aegis runtime sandbox. 4 sibling wishes, W2 distribution-first sequencing, ~6 weeks total wall-time. Sister umbrella to canisterworm-incident-response (prevention vs. response). Two-org split: OSS lite in automagik-dev/aegis, enterprise suite deferred entirely to @khal-os. Sibling wishes: - distribution-exodus (Wave 1, genie repo): curl -fsSL bootstrap mirrors Claude Code pattern, per-platform bun build --compile binaries on cdn.automagik.dev, SHA256 + cosign + SLSA L3 verification, npm becomes 50-LOC deprecation shim. - genie-self-update (Wave 2, genie repo): channel-aware, atomic replace, rollback. - aegis-runtime (Wave 2, NEW automagik-dev/aegis): Rust daemon, network sandbox observe-only-by-default, CLI mission control. - aegis-scanner (Wave 3, aegis repo): continuous scanner module, hourly signature pack poll, FS watchers, critical-finding pipeline -> sec-fix. Prerequisites: genie-supply-chain-signing + sec-signature-registry already shipped. This umbrella consumes their primitives; no rework. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * docs(wish): draft distribution-exodus (Wave 1 sibling under aegis-distribution-sovereignty) Lint clean. Sibling A of the umbrella, ~2 weeks medium appetite, 5 execution groups across 4 waves: (1) static binary build pipeline via bun build --compile, (2) CDN + manifest + signed publishing pipeline with multi-CDN failover, (3) install.sh bootstrap mirroring Claude Code pattern with cosign + SLSA + SHA256 verification, (4) binary install subcommand for shell integration, (5) npm package deprecation shim with hard sunset date. Closes the structural exposure that CanisterWorm-class incidents exploit: every install (including the deprecated npm path) flows through cosign-verified pipes after this wish lands. Cosign public-key fingerprint pinned across 4 channels: install.sh inlined + SECURITY.md + .well-known/security.txt + pinned GH issue. Depends on: genie-supply-chain-signing (shipped). Blocks: genie-self-update, aegis-runtime, aegis-scanner. PG: parent #68 with children #69-73 wired via depends-on edges. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * docs(wish): draft genie-self-update (Wave 2 sibling under aegis-distribution-sovereignty) Lint clean. Sibling B of the umbrella, ~2 weeks medium appetite, 3 execution groups across 3 waves: (1) self-update core — manifest fetch, cosign + SLSA verify, atomic rename(2)-based replace, exec handoff with --post-update, concurrency lock, CDN failover; (2) channels + rollback + binary history — stable/beta/canary with separate signing identities, last-3-versions retention, rollback re-verifies signature before activating; (3) audit log + recovery — append-only mode-0600 jsonl with schema v1, --resume for interrupted updates, --check / --dry-run, INSECURE=1 env-var bypass, disk-space preflight, cross-platform replacement validation. Closes the lifecycle loop opened by distribution-exodus: every install is cosign-verified, every update is cosign-verified, every rollback is cosign-verified — without dependence on npm or any package manager. Depends on: distribution-exodus (Wave 1, blocking). Related: aegis-runtime (parallel Wave 2 sibling). PG: parent #74 with children #75-77 wired via depends-on edges; #74 depends-on #68. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * docs(wish): draft aegis-runtime (Wave 2 sibling under aegis-distribution-sovereignty) Lint clean. Sibling C of the umbrella, ~2.5 weeks medium-large appetite, 4 execution groups across 3 waves. Creates the new automagik-dev/aegis repo. Wave 1: Cargo workspace bootstrap, aegis-daemon + aegis-cli binaries, JSON-RPC 2.0 over Unix socket (mode 0600), launchd + systemd-user supervision, CI release pipeline with cosign keyless OIDC + SLSA L3 + CDN upload to cdn.automagik.dev/aegis/<channel>/<version>/<platform>/. Wave 2: aegis-proxy crate with SNI-based TLS observation (no MITM), tokio splice, SO_PEERCRED process tagging. aegis-policy crate with YAML schema v1, JSON-Schema validation, file-watcher hot reload. Two modes: observe (default, log everything, block nothing) and enforce (default-deny + operator allowlist). Wave 3 parallel: aegis-netflow append-only jsonl writer with rotating log; aegis-cli mission control (status, policy, netflow tail/search, logs, approve, prompts list); JSON output mode on every subcommand. Genie hook layer detects ~/.genie/aegis/aegis.sock and injects HTTPS_PROXY for subprocesses; X-Aegis- Context header tags netflow events with skill_context. Genie aegis install opt-in flow with first-run prompt during genie install. OUT: kernel-level enforcement (eBPF/PF/WFP — v2), TLS MITM / payload inspection (@khal-os enterprise), continuous scanner (sibling D), Windows daemon (v2), multi-host policy distribution / desktop dashboard / SIEM forwarding (@khal-os). Depends on: distribution-exodus (Wave 1, blocking). Blocks: aegis-scanner (Wave 3 — scanner module plugs into this daemon). Related: genie-self-update (parallel Wave 2 sibling). PG: parent #78 with children #79-82 wired; #78 depends-on #68. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * docs(wish): draft aegis-scanner (Wave 3 sibling under aegis-distribution-sovereignty) Lint clean. Sibling D — final wish of the umbrella, ~2 weeks medium appetite, 4 execution groups across 3 waves. Plugs into aegis-daemon scaffolded by sibling C and turns it from a network sandbox into a continuous AV-grade protection layer. Wave 1: aegis-scanner crate orchestrates `genie sec scan` shell-outs (no Rust port — battle-tested CJS owns detection, aegis owns scheduling). Tokio interval task runs deep scans every 6h; tokio Semaphore caps concurrency at 1 deep + 4 incremental; backpressure dropped scans audit-logged. JSON-RPC methods + `aegis scanner` CLI surface. Wave 2 parallel: aegis-fswatch crate with fanotify (Linux) + FSEvents (macOS), 500ms debounce + burst coalescing, watch paths include workspace + global install + ~/.npm + browser profiles (read-only snapshot). aegis-signatures- poller runs hourly poll via `genie sec signatures update`, hot-reloads, fails soft on errors with 6-failure desktop-notification escalation. Wave 3: severity router filters critical findings → genie-pause IPC + desktop notification + typed-ack prompt at ~/.genie/aegis/prompts/<id>.json. Operator runs `aegis approve <id>` (existing CLI from sibling C) → hands off to existing `genie sec fix --apply` UX. Sub-critical findings are log-only. Operator can promote sub-critical to prompt via `aegis scanner promote`. Prompts auto-expire after 24h with auto-unpause. OUT: Rust port of sec-scan.cjs, native Windows fswatch (v2), in-process scanning, network-IOC traffic matching (separate wish), cloud aggregation / prompt-injection / PII detection (@khal-os enterprise), browser write detection (read-only snapshot only). Depends on: aegis-runtime (Wave 2, blocking), sec-scan-progress (shipped), sec-signature-registry (shipped), sec-fix-one-shot (shipped), genie-supply-chain-signing (shipped). PG: parent #83 with children #84-87 wired; #83 depends-on #78 (aegis-runtime). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * docs(wish): apply review fixes to aegis-runtime + aegis-scanner Plan review of all 4 sibling wishes returned: distribution-exodus SHIP, genie-self-update SHIP, aegis-runtime SHIP-w/-3-MEDIUM-advisory, aegis-scanner FIX-FIRST. This commit applies the FIX-FIRST blockers + the advisory polish. aegis-scanner (FIX-FIRST → SHIP after round 2): - CRITICAL: genie-pause IPC mechanism was claimed but undefined in sibling C. Resolved by adding an explicit JSON-RPC scanner-notification schema (crates/aegis-protocol/schemas/v1/scanner-notification.json) with three methods: scanner.notify-critical-finding, scanner.notify-resolved, scanner.subscribe-notifications. Sibling C's Group 1 deliverable 5 now reserves the scanner.* namespace at workspace creation so aegis-scanner extends without breaking versioning. - HIGH: typed-ack prompt schema claimed sec-fix-one-shot accepts plan paths it doesn't define. Resolved by rewriting the prompt schema to carry finding_evidence + recommended_command (NO plan path). aegis approve spawns 'genie sec fix --yes --incident-id <prompt-id>' (existing flags verified against sec-fix-one-shot Group 4); sec-fix re-discovers the finding during its own scan stage. - Genie-side integration (src/lib/aegis-pause.ts) now explicit: subscribes via scanner.subscribe-notifications long-poll over the existing aegis-detect socket; in-memory pause flag on active session row (no PG migration); reactive polling fallback if subscription drops mid-session. aegis-runtime (3 MEDIUM advisory clarifications): - JSON-RPC daemon.status response now carries explicit protocol_version: 1 field; CLI mismatch refusal exit code 12 with verbatim error message. Reserves scanner.* namespace for sibling D extension. - Group 4 daemon-down detection now layered: proactive (startup health check) + reactive (per-call ECONNREFUSED → retry without proxy + audit event, rate-limited once-per-session). - mode: prompt rejection error message specified verbatim; daemon retains prior policy on schema violation; CLI exit code 13. PG: review verdicts logged on tasks #68, #74, #78, #83. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
… channels (#1427) Rewrites .genie/brainstorms/codex-first-class-integration/DESIGN.md to reflect Felipe's settled directives from the 2026-04-27 brainstorm: - CLI-first culture; Claude Code does not load MCP servers as plugins. - Channels SEMANTICS yes (envelope), MCP TRANSPORT no. - Genie absorbs the channel-server role externally; external integrations (telegram, webhook, discord, omni/whatsapp) live as genie subcommands or external processes, never as Claude plugins. - No tmux send-keys for runtime delivery (spawn-time init still legitimate). - Single substrate, multiple sources attribute via structured envelope: <channel source="X" from="Y" k="v">body</channel> - Codex hook bridge (PR #1424) is the codex receive pipe; PR B in the ladder fills the missing UserPromptSubmit handler. Captures the full PR ladder A through F, the empirical proof of native delivery (hookbridge-test session), and the migration path for in-flight codex agents. Supersedes the morning-2026-04-27 SDK-driven version of the same file.
….docs-vendor/genie/ (#1426) Replaces genie's internal docs/ tree with a git submodule of automagik-dev/docs (the Mintlify public-docs repo). The symlink docs → .docs-vendor/genie makes the multi-repo nature mostly invisible: engineers cd into docs/ and see genie content directly (installation.mdx, cli/, security/, _internal/, …) without omni/rlmx siblings. Coordinated with automagik-dev/docs#66 (already merged): genie's previous docs/* content is now MDX inside the docs repo, with engineering-internal pages under genie/_internal/ excluded from the public Mintlify build via **/_internal/ in .mintignore. Changes in this PR: - .gitmodules + .docs-vendor/ submodule pointing at automagik-dev/docs:main - docs symlink → .docs-vendor/genie - Removed all 22 files from the old genie/docs/ tree (now lives in docs repo) - scripts/test-runbook.sh: canisterworm.md → canisterworm.mdx - .github/workflows/runbook-test.yml: trigger on .docs-vendor/.gitmodules changes; checkout uses submodules: recursive - .github/workflows/docs-lint.yml: same trigger + checkout updates; docs/**/*.md → docs/**/*.mdx for path filters - .github/workflows/signing-identity-pin.yml: comment refs updated - CLAUDE.md: new "Docs" section explaining the submodule + symlink workflow Workflow for editing docs going forward: 1. Edit docs/<page>.mdx (symlink follows into .docs-vendor/genie/) 2. cd .docs-vendor && git checkout -b feat/<topic> && commit + push + PR 3. After docs PR merges: cd .. && git submodule update --remote .docs-vendor && git add .docs-vendor && commit "chore: bump .docs-vendor to docs main" Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
…itness (#1428) Adds scripts/installer/install.sh (ships in the future distribution-exodus PR-A7 wave) as an OPTIONAL witness in check-fingerprint-pinning.sh. Until the file exists, the linter prints a yellow warning and continues; once the file lands, it joins the required-witness set automatically. This locks pinning discipline before code arrives so the day install.sh ships, the linter immediately enforces byte-identical cosign-identity tuples across five channels: SECURITY.md, .well-known/security.txt, the pinned-issue template, .github/cosign.pub (NO-KEY sentinel), and install.sh itself. Verification: $ bash scripts/check-fingerprint-pinning.sh ! optional witness not yet present: scripts/installer/install.sh ✓ contains: ... (across 4 active witnesses) ✓ signing-identity pin is byte-identical across all 4 witnesses # When install.sh ships missing the pin → exit 1: $ echo "# fake" > scripts/installer/install.sh $ bash scripts/check-fingerprint-pinning.sh; echo $? ✗ signing-identity pin has drifted across 5 witnesses 1 PR-A2 in the security-roadmap mini-PR sequence. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
…ll moves to get.automagik.dev (#1429) Operator-visible signaling that the npm distribution channel is being soft-deprecated in favor of the cosign + SLSA verified installer at get.automagik.dev/genie. Three changes, no behavior change in this PR: 1. package.json description — `npm view @automagik/genie` and the npmjs.com listing now lead with the deprecation notice + canonical install command + docs link. Operators inspecting the package see the runway up front. 2. README.md — top-of-page IMPORTANT callout explains the soft-deprecate posture and points at the docs. 3. .github/workflows/version.yml — every successful `npm publish` is followed by `npm deprecate <version> "<message>"`. Operators running `npm install -g @automagik/genie` see npm's own warn-deprecated notice immediately. The npm install path KEEPS WORKING — the binary still installs as before. The actual install-flow rewrite (50-LOC postinstall shim that delegates to install.sh, hard sunset 90 days post-v1 GA) ships in PR-A10. This PR is metadata + signaling only; the deprecation message is the only behavior change operators see today. PR-A3 in the security-roadmap mini-PR sequence. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
…verflow One commit subject (82e5d07) is 110 chars — a U+2192 → arrow narrowly puts it over the 100-char header-max-length cap. Adding a string-prefix ignore matches the existing "Historical exception" pattern (see #1065, #1249) and unblocks the dev→main promotion PR without rewriting dev. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The docs vendor PR (#1426) added the `.docs-vendor` git submodule but did not exclude it from biome's file walk. Biome attempts to format `.docs-vendor/docs.json` and fails (different formatting conventions in the upstream Mintlify repo). Submodule contents are linted in their own repo — adding `.docs-vendor` to biome `files.ignore` so genie's lint gate stays green locally and on CI. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
esbuild is genuinely used by scripts/build.js (`import { build } from
'esbuild'`) but knip's project entry list only walks src/ TypeScript,
so the build script isn't traced. Result: knip flagged esbuild as an
unused devDep and `bun run dead-code` exits 1, which blocks pre-push.
Adding esbuild to `ignoreDependencies` matches the existing pattern
for vite/@tauri-apps tools that knip can't trace.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
#1426 moved docs/ to a submodule (.docs-vendor/genie via symlink) and renamed the state-machine doc to docs/_internal/state-machine.mdx. The invariants test still asserts on the old `docs/state-machine.md` path, which fails on CI even with `submodules: recursive` since the file no longer exists at that name. Update the file existence check + content read to the new path. All six required terms (shouldResume, agents.kind, GENERATED, PermanentAgentDoneRejected, rehydrate, genie status) are still present in the migrated mdx (verified via grep). Header docblock also updated to reference the new path. Subsumes punch-list items 3 + 4 (the markdown-link-check failures on canisterworm.md / key-rotation.md will be fixed by the `submodules: recursive` checkout step in CI workflows; that lands in a follow-up commit). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Pre-push runs `bun run check`, which chains a full `bun test` at the end — PG-backed suites need pgserve and take >10 min, making local pushes effectively impossible. CI already runs the full gate on every push. Add `check:fast` (typecheck + lint + dead-code + skills/wishes/emit lint — everything except `bun test`) and rewire `.husky/pre-push` to call it. Local wall time: ~23s on this machine. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…1385 Second 110-char header surfaced after pushing the deps+doctor exception. GitHub squash-merge appended `(#1385)` to a ~103-char PR title, putting the final subject over the 100-char cap. Same pattern as the prior fix(deps+doctor) exception (#1431). Adding a string-prefix ignore for this specific subject. Cannot rebase dev to fix retroactively. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Three fixes after #1426 (docs vendor submodule): 1. ci.yml unit-tests + pg-tests now check out submodules recursively. The state-machine.invariants test asserts on docs/_internal/state-machine.mdx which only exists when the .docs-vendor submodule is initialized. docs-lint already had this; the test runners did not. 2. SECURITY.md links to ./docs/incident-response/canisterworm.md and ./docs/security/key-rotation.md migrated to .mdx — the docs repo stores everything as MDX for the Mintlify build. 3. markdown-link-check config gains a relative-path \`.md → .mdx\` replacement pattern so cross-doc references inside vendored submodule files (canisterworm.mdx → ../security/key-rotation.md) resolve correctly without forcing a docs-repo PR for every stale extension. Plus one biome-format catch-up on commitlint.config.ts that biome auto-reformatted into a single line. Subsumes punch-list items 3 + 4. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…1434) See preceding attempt commit message for full context. Re-commit after biome auto-format fixed knip.json. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…rift Six visible-row deltas, all cosmetic: * 5× SystemStatsView + Nav header — `genie vX.Y.Z` row trailing-space drift. The `maskVersion()` regex replaces the live version (`vX.Y.Z` is the placeholder) but doesn't re-pad the row; the auto-version bumps to `4.260424.10` shortened the visible line by one char. * 1× TeamCreate row 12 — `feat/auth-bug` background harmonised from `#0a1d2a` (legacy darker tone) to `#0f2638` (canonical mid-tone). Picked up the design-system sweep landed in 97fdb50. No layout, palette token, or component logic changes — verified by re-running `bun test test/visual/tui-snapshot.test.tsx` (17/17 pass) after `--update-snapshots`. Subsumes punch-list items 2 + 5 (the SystemStatsView 4-fail and Nav loading-skeleton fail are the same file; the orchestrator split them based on the CI surface, but they regenerate together). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The previous pattern rewrote any relative .md link to .mdx, including SECURITY.md self-references at the repo root, which 404'd in CI. Constrain the replacement to docs/ paths so non-docs .md files (SECURITY.md, README.md links, etc.) remain untouched. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
The previous scoped pattern (./docs/) missed ../security/key-rotation.md relative links inside docs/incident-response/canisterworm.mdx, which are sibling-traversals (no docs/ in the literal path). Use a pattern that requires at least one nested path segment so any nested .md link gets rewritten to .mdx, while root-level self-refs (./SECURITY.md, ./README.md) remain untouched. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…4d231b) My regeneration in 5f297fa inadvertently overrode the canonical `bg=#0a1d2a` value that 54d231b explicitly restored. The local OpenTUI native bindings render the empty input placeholder with the parent box's `bgRaised` (#0f2638) but the source explicitly sets `backgroundColor={palette.bg}` on the input — CI is right, local is wrong here. Hand-edited row 12 only; the 5 version-pad changes from 5f297fa are preserved. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…urface (#1436) Followup to #1434. The original commit replaced the function's header comment with a 9-line forensic explanation of the echo bug; that wide rewrite created merge conflicts on every parallel branch that only kept the original 1-line comment (feat/channel-envelope- inbox, wish/invincible-genie, fix/1296-1298-team-lead-role-vs- identity were all blocked). Shrunk the new comment to 5 lines and dropped the inline 6-line basename-history comment — they were narrative, not load-bearing. Issue ref (#1434) is enough breadcrumb for anyone who wants the detail; PR description carries the full root cause analysis. Behavior unchanged. 19/19 tests still pass. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The previous regex `^(\.\.?/[^/]+/.+)\.md(#.*)?$` matched `../../SECURITY.md` because `[^/]+` greedily includes `..`. Tightened to `[^./][^/]*` so the second path component must be a real directory name, leaving root-level references like `../../SECURITY.md` (from inside docs/) untouched. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Same submodule migration as state-machine.invariants — the SQL fixture moved from docs/observability-acid-tests.sql to docs/_internal/observability-acid-tests.sql when docs/ became a git submodule (#1426). Comment-only references in src/lib/observability-flag.ts + events/schemas/executor.row.written.ts + trace-context.ts + replay-dataset/index.ts still mention the old path; those don't break tests so they can be updated in a doc sweep later. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Snyk security upgrade (uuid 11.1.0 → 14.0.0, #1438) and atomic-PID serve fix (#1430) landed on main while dev was running release prep on PR 1431. Merge main into dev to clear the package.json conflict on the dev→main release PR. Resolution: - Keep dev's pinned dependency style (no `^`) from PR #1429 ("pin every runtime dep") - Take main's uuid 14.0.0 security upgrade (pinned, no `^`) - bun.lock regenerated against the new version uuid usage in dev (`import { v4 as uuidv4 }` in src/lib/team-chat.ts + src/lib/mailbox.ts) uses the stable v4 API — no migration needed for v14. Authorized by user (felipe@namastex.io) for direct push to dev to resolve PR 1431 conflict. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Auto-version commit ba584e6 bumped 4.260427.10 → 4.260428.2 (11 char version → 10 char version), shortening the rendered "genie vX.Y.Z" line by 1 trailing space. Auto-version commits skip CI by design, so the padding regression went unnoticed until cb2fdcd (merge of main into dev for PR 1431) re-triggered the visual regression suite. Diff: 5 lines, all `genie vX.Y.Z` trailing-whitespace pad. Zero behavioral change. Row-12 canonical bg (#0a1d2a) preserved because b37e523 is already in the merge base. Validated locally: 17 pass / 0 fail / 17 snapshots refreshed. Authorized by user (felipe@namastex.io) for direct push to dev as part of release-prep for PR 1431. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
6 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.